Service Control Spawned via Script Interpreter

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Privilege EscalationTactic: Defense EvasionTactic: ExecutionData Source: Elastic EndgameData Source: Elastic DefendData Source: Windows Security Event LogsData Source: Microsoft Defender for EndpointData Source: CrowdstrikeLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Create or Modify System Process (T1543)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

↳ Windows Management Instrumentation (T1047)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ System Binary Proxy Execution (T1218)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-m365_defender.event-*logs-system.security*logs-windows.forwarded*winlogbeat-*

Related Integrations

endpoint(opens in a new tab or window)

system(opens in a new tab or window)

windows(opens in a new tab or window)

m365_defender(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

Query

/* This rule is not compatible with Sysmon due to user.id issues */

process where host.os.type == "windows" and event.type == "start" and
  (process.name : "sc.exe" or ?process.pe.original_file_name == "sc.exe") and
  process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
                         "wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and
  process.args:("config", "create", "start", "delete", "stop", "pause") and
  /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */
  not user.id : "S-1-5-18"